Describe the Issue
Controls 5.5.1.1-3 under cis_5.5.x.yml do not work as intended for a number of reasons:
1) Their loops are reliant on a non-existent return value (stdout_list).
2) There are flaws in the shell command logic in 5.5.1.1 and 5.5.1.2
3) with_items: should be used instead of loop:
4) They all use a conditional of (item != 'root') and (not ubtu22cis_uses_root) which will never affect the root account even if ubtu22cis_users_root is set to false
Running these controls does not change the password expiration settings on existing accounts.
Expected Behavior
Running these controls should result in existing users under /etc/shadow having their password expiration settings updated if they are defined under variables ubtu22cis_pass.max_days; ubtu22cis_pass.min_days; ubtu22cis_pass.warn_days.
Actual Behavior
Password expiration settings listed above are not updated. Running ansible-playbook -vvv shows something similar to (truncated):
Environment (please complete the following information):
Possible Solution
I have replaced the control tasks with the following and tested successfully:
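
To confirm the Expected Behavior independently of the playbook, this added example (not the issue author's replacement tasks and not the project's code) reports accounts in shadow-format data whose aging fields miss a policy. The function names, the include-root switch, the 365/1/7 values, the bounds-style comparison and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit password-aging fields in shadow-format data.
# Usage: audit_shadow_aging FILE MAX_DAYS MIN_DAYS WARN_DAYS INCLUDE_ROOT
#   FILE          shadow-format file, or "-" to read standard input
#   INCLUDE_ROOT  "yes" to audit root as well (hypothetical switch)
# Prints one "user:setting:current" line per finding, nothing when compliant.
audit_shadow_aging() {
  awk -F: -v max="$2" -v min="$3" -v warn="$4" -v root="$5" '
    # Field 2 is the password hash. Only entries holding a real hash
    # (starting with "$") are audited; locked ("!", "*") or empty
    # entries are skipped.
    $2 !~ /^\$/ { next }
    $1 == "root" && root != "yes" { next }
    # shadow(5): field 4 = min days, field 5 = max days, field 6 = warn days.
    # Assumed policy: max must not exceed MAX, min and warn must reach
    # at least MIN and WARN. An empty field counts as a finding.
    $5 == "" || $5 + 0 > max + 0 {
      print $1 ":max_days:" ($5 == "" ? "unset" : $5)
    }
    $4 == "" || $4 + 0 < min + 0 {
      print $1 ":min_days:" ($4 == "" ? "unset" : $4)
    }
    $6 == "" || $6 + 0 < warn + 0 {
      print $1 ":warn_days:" ($6 == "" ? "unset" : $6)
    }
  ' "$1"
}

# Constructed sample data, not taken from a real system; hashes are placeholders.
sample_shadow() {
  cat <<'EOF'
root:$y$j9T$placeholder$placeholder:19700:0:99999:7:::
alice:$y$j9T$placeholder$placeholder:19700:1:365:7:::
bob:$6$placeholder$placeholder:19700:0:99999:7:::
carol:$y$j9T$placeholder$placeholder:19700:1:90::::
daemon:*:19700:0:99999:7:::
svc:!:19700::::::
EOF
}

# Demo run against the constructed sample, with root included.
sample_shadow | audit_shadow_aging - 365 1 7 yes
```

Running the same check before and after the playbook, with and without root included, shows whether the aging tasks actually changed existing accounts.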